Git checkout failed due to self-signed certificate on Jenkins on k8s

8/12/2019

I set up Jenkins in my k8s cluster with a Helm chart. When checking out code, it says:

    hudson.plugins.git.GitException: Command "git fetch --no-tags --force --progress https://someghe.com/***/***.git +refs/heads/feat/***:refs/remotes/origin/feat/***" returned status code 128:
    stdout:
    stderr: fatal: unable to access 'https://github.xxx.com/xxx/xxx.git/': SSL certificate problem: self signed certificate in certificate chain

    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2042)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1761)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$400(CliGitAPIImpl.java:72)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:442)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:655)
    at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:153)
    at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$1.call(RemoteGitImpl.java:146)
    at hudson.remoting.UserRequest.perform(UserRequest.java:212)
    at hudson.remoting.UserRequest.perform(UserRequest.java:54)
    at hudson.remoting.Request$2.run(Request.java:369)
    at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
    at java.lang.Thread.run(Thread.java:748)

I tried to add the certificates to both the master and the agent by using my own images.

  1. In the Dockerfile, I COPY the certs into the image and update the certificates with update-ca-certificates.
  2. In the pod template settings in Jenkins, I changed the image to my custom image.

But the error is still there. I tried to run the agent image using both docker run and kubectl run, and both can git clone successfully.

Then I tried to update the git config using git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt, but it is still not working.

Master Dockerfile

    FROM jenkins/jenkins:lts

    # Copy the CA certificate next to the JVM trust store and into the OS CA directory
    COPY some_ca.crt $JAVA_HOME/jre/lib/security
    COPY some_ca.crt /usr/local/share/ca-certificates/CA.crt
    USER root
    # Import the CA into the JVM cacerts keystore, then rebuild the OS CA bundle
    RUN cd $JAVA_HOME/jre/lib/security \
        && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias some_ca -file some_ca.crt \
        && update-ca-certificates
    ARG user=jenkins
    USER ${user}

Agent Dockerfile

    FROM jenkins/jnlp-slave:3.27-1

    # Copy the CA certificate next to the JVM trust store and into the OS CA directory
    COPY some_ca.crt $JAVA_HOME/jre/lib/security
    COPY some_ca.crt /usr/local/share/ca-certificates/Douban_CA.crt
    USER root
    # Import the CA into the JVM cacerts keystore, rebuild the OS CA bundle,
    # then set git's global CA bundle path and turn off TLS verification
    RUN cd $JAVA_HOME/jre/lib/security \
        && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias some_ca -file some_ca.crt \
        && update-ca-certificates \
        && git config --global http.sslCAInfo /etc/ssl/certs/ca-certificates.crt \
        && git config --global http.sslVerify false
    ARG user=jenkins
    USER ${user}
-- Leo Que
git
jenkins
kubernetes
self-signed-certificate

0 Answers